A new vulnerability has been discovered in the Microsoft Windows Graphics Rendering Engine, which could allow an attacker to take complete control of an affected system. Exploitation may occur if a user views a specially crafted thumbnail image. In an email or web-based attack scenario, exploitation may occur if a user opens or previews a document containing a specially crafted thumbnail image received as an email attachment or hosted on a website. Alternatively, an attacker can place the specially crafted thumbnail image on a network share and convince the user to navigate to the file location using Windows Explorer. Successful exploitation of the vulnerability could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

It should be noted that there is currently no patch available for this vulnerability and a working Metasploit Framework exploit module is available which results in remote code execution. The exploit has been tested by the MS-ISAC against a fully patched Windows XP SP3 system and confirmed to result in remote code execution.

UPDATED OVERVIEW: A patch has been made available for this vulnerability in Microsoft Bulletin MS11-006. Please note that MS11-006 now refers to the affected product as Windows Shell graphics processor. The original bulletin used Windows Graphics Rendering Engine.

SYSTEMS AFFECTED:

Windows XP

Windows Server 2003

Windows Vista

Windows Server 2008 SP2 and earlier

RISK:
Government:

Large and medium government entities: High

Small government entities: High

Businesses:

Large and medium business entities: High

Small business entities: High

Home users: High

ORIGINAL DESCRIPTION:
A new vulnerability has been discovered in the Microsoft Windows Graphics Rendering Engine, which could allow an attacker to take complete control of an affected system. The vulnerability occurs when the Graphics Rendering Engine component of the operating system improperly parses a specially crafted thumbnail image. This may result in a stack overflow condition, allowing the attacker to execute arbitrary code in the context of the logged-on user.

In an email or web-based attack scenario, exploitation may occur if a user opens or previews a document containing a specially crafted thumbnail image received as an email attachment or hosted on a website. Alternatively, an attacker can place the specially crafted thumbnail image on a network share and convince the user to navigate to the file location using Windows Explorer. Successful exploitation of the vulnerability could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Until a patch is available, Microsoft has posted details of a workaround in their advisory (see references below). The workaround describes how to modify the access control list (ACL) on shimgvw.dll. Please note that while this workaround will prevent the vulnerability from being exploited on vulnerable systems, media files normally handled by the Graphics Rendering Engine (thumbnails and image previews) will not be displayed properly while it is in place.
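The ACL workaround described above, as an added example that is not part of this advisory or of Microsoft's own text: a PowerShell script (assumed to run in an elevated session on Windows Vista / Server 2008, where icacls and takeown are available; Windows XP ships cacls instead) that backs up the current ACL on shimgvw.dll, applies a deny-Everyone entry, verifies it, and can undo it once MS11-006 is installed. The backup file name is a constructed choice.

```powershell
# Added example: apply, verify and undo the shimgvw.dll ACL workaround.
# Assumes an elevated session on Windows Vista / Server 2008 (icacls present).
# Windows XP ships cacls rather than icacls; the same approach applies there.
$Dll    = Join-Path $env:WINDIR 'System32\shimgvw.dll'
$Backup = Join-Path $env:TEMP   'shimgvw_acl_backup.txt'   # constructed name

function Backup-ShimgvwAcl {
    # Save the current DACL so the workaround can be reversed after patching.
    & icacls $Dll /save $Backup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /save failed ($LASTEXITCODE)" }
}

function Set-ShimgvwDeny {
    # Take ownership first (the file is owned by TrustedInstaller by default),
    # then deny Everyone all access. Side effect, as the advisory notes:
    # thumbnails and image previews stop rendering while this is in place.
    & takeown /f $Dll | Out-Null
    & icacls $Dll /deny 'Everyone:(F)' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /deny failed ($LASTEXITCODE)" }
}

function Test-ShimgvwDeny {
    # Returns $true when a Deny entry for Everyone is present (workaround active).
    $acl = Get-Acl -Path $Dll
    [bool]($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq 'Everyone'
    })
}

function Restore-ShimgvwAcl {
    # Undo: icacls /restore is given the directory holding the saved entries.
    $dir = Split-Path $Dll -Parent
    & icacls $dir /restore $Backup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /restore failed ($LASTEXITCODE)" }
}

# Usage: no argument applies the workaround; 'restore' removes it again.
if ($args[0] -eq 'restore') {
    Restore-ShimgvwAcl
} else {
    Backup-ShimgvwAcl
    Set-ShimgvwDeny
}
"Workaround active: $(Test-ShimgvwDeny)"
```

Run the restore branch when MS11-006 is deployed so the patched file is served with its normal ACL, and confirm Test-ShimgvwDeny then reports False.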

It should be noted that there is currently no patch available for this vulnerability and a working Metasploit Framework exploit module is available which results in remote code execution. The exploit has been tested by the MS-ISAC against a fully patched Windows XP SP3 system and confirmed to result in remote code execution.

UPDATED DESCRIPTION: A patch has been made available for this vulnerability in Microsoft Bulletin MS11-006.

ORIGINAL RECOMMENDATIONS:
We recommend the following actions be taken: